1.
Introduction

The Malaysian Government Multipurpose Card (GMPC) or MyKad is a standard
credit-card-sized plastic token with an embedded microchip. It has been issued
progressively since 2001, with the intention of being obligatorily used by the
entire population of 18 years and over by the end of 2005 (or perhaps 2007).

The card displays several items of data, carries several categories of data in
the chip, including a biometric, is used by multiple government agencies, and
has been designed for extensibility and 'function creep'. It is subject to
highly inadequate protections.

Various reports state that versions of the card have been issued bearing
respectively a 32Kb and a 64Kb EEPROM (Electrically Erasable Programmable
Read-Only Memory) chip, using the M-COS operating system. The larger version
supports a digital signature key and digital signing (often mistakenly referred
to as PKI). It is unclear to what extent each of the various applications is
used.

This document provides some background resources related to MyKad.

2.
The 'New Scientist' Report on the Launch of MyKad

The world's first national smart card scheme to store biometric data on an
in-built computer chip has been introduced in Malaysia. The cards are
compulsory for Malaysia's citizens and are encoded with a copy of the owner's
fingerprints.

Pressure is growing in other countries for improved identification schemes,
especially since the recent terrorist atrocities in the US.

"A lot of governments including the US will be looking at better identification
systems to monitor the movement of people within their countries after the
terror attacks," said Wan Mohamad Ariffin, smart card project director at
Malaysia's National Registration Department. "We are willing to share our
technology. It could be part of the solution to the security issue."

Although the strongest opposition to such schemes will probably come from civil
liberties groups, technical experts also say that such measures will not thwart
criminals or determined terror groups.

Identity theft

Ross Anderson, an expert in computer security at Cambridge University, says
that smart cards may make forging ID cards harder but they are unlikely to
provide a complete solution.

"You can maybe exert some downward pressure on identity theft by incorporating
machine readable fingerprints of some kind or another," Anderson told New
Scientist. "But, in this situation, making identity cards harder to forge is
solving the wrong problem."

Anderson says that terrorist groups will simply subvert the system another way,
by using a stolen birth certificate, for example. He also points out that,
unless an individual has been identified by the authorities as a threat, smart
cards will not help.

Nevertheless, smart cards should make fraud more difficult. Although most cards
will give up their digital secrets to a determined expert, combined with
digital signatures they make forgery more complicated.

This is important because the Malaysian government has said that the new cards
are likely to be used to authorise financial payments and withdraw cash, as
well as identify individuals to the authorities.

Digital signature

Markus Kuhn, also at Cambridge University's computer science department, says
that the biometrics stored on a modern smart card will be authenticated by a
central authority when the card is created, in the form of a digital
signature.

This means that even if a card is stolen and a new fingerprint data inserted,
anyone with a government scanner could recognise it as fake. "You can put a new
fingerprint on the card but not forge its overall signature," Kuhn says.

But opposition to this type of smart-card system remains from civil
libertarians. "I don't think that these will stop terrorist acts," says Yaman
Akdeniz, director of Cyber-Rights & Cyber-Liberties. "They are more
controlling measures. They let a government track you and know more about
you."

The US government is currently increasing its capacity to track citizens. The
Combating Terrorism Act of 2001, proposed shortly after the devastation of New
York and Washington DC, would increase the powers of federal agents to wiretap
individuals.

3.
The Privacy International Report

Since 1999, the Malaysian government has begun gradually phasing in a
multi-purpose national ID smart card, that it intends all Malaysians to adopt
by 2005.[31] The card, known as "MyKad," incorporates both photo
identification and fingerprint biometric technology and is designed with six
main functions: identification, driver's license, passport information
(although a passport is still required for travel overseas), health information
(blood type, allergies, chronic diseases, etc.), and an e-cash
function.[32] The card can also function as an ATM card, although it
is MyKad's least attractive feature and banks have discouraged customers from
using the card for such purpose.[33] There are plans for adding additional
applications for digital signatures for e-commerce transactions.[34]

The Malaysian government originally proposed placing the religious affiliation
of all citizens on the cards, but complaints from the country's non-Muslim
ethnic groups prompted the government to limit identification to Muslims only.
In January 1999, it was announced that Islamic religious authorities in the
capital, Kuala Lumpur, would be equipped with portable card readers in order to
instantly verify the vows of Muslim couples found in "close proximity." In his
2002 budget speech, the Prime Minister proposed adding marital status and
voting constituency information to the cards for the benefit of religious
authorities and to minimize electoral fraud, respectively. Both proposals were
sharply criticized by opposition Member of Parliament Teresa Kok as being an
unnecessary invasion of privacy.[35] The anonymity of balloting is already a
matter of concern for privacy advocates, even without MyKad. Traditional
ballots are marked with a serial number that can be matched against a voter's
name. While there is no evidence that the government has ever tracked
individual votes, some opposition leaders allege that the potential to do so
has had a chilling effect on some voters, particularly civil servants.

With so much personal information stored on the MyKad, even proponents of the
card have acknowledged inherent privacy risks: "[h]aving the smart card will
probably increase theft . . . because the attraction is there. There is a lot
of personal information stored [on the card], including buying patterns which
would attract (card cloning) syndicates," according to industry analyst
Jafizwaty Ishahak. Recently, the National Registration Department (NRD)
admitted that the practice of surrendering identity cards to security
guards before entering certain premises may need to be changed because
of privacy concerns.[36] The Consumers Association of Penang has argued that
the cards make individuals' personal and confidential information too
vulnerable and has recommended that the proposed Personal Data Protection Act
address these risks specifically.[37]

The Federation of Malaysian Consumers Associations criticized the
government for not implementing clear guidelines or consulting with the public
on how MyKad is to be used, by whom and for what purpose. The Federation also
challenged the security of the system, contending that the storage of personal
information in a centralized database makes it vulnerable to tampering and
sabotage. Later, in 2004, the Bar Council chief severely criticized the
security and privacy risks related to the use of MyKad, and sought strong
privacy laws to protect card holders against potential misuse, pointing out
that personal data contained on the card could easily be accessed.[38] It is
widely known that anyone with a card reader can access all information
contained in the card.[39] In response to such critiques, the
government is now reportedly drafting a bill to ensure the privacy of MyKad
users and protect the information stored against unauthorized use.[40]

Users can access personal information on their cards at government kiosks and
offices, after biometric authentication of their fingerprint. Access to
personal information by others is hierarchical or compartmentalized. For
example, only certain medical officers have access to sensitive health
information. However, access to some personal information held in the
MyKad system seems to be available, remotely via a network, to a wide range of
third parties, including hotels, restaurants and ticket agents. Determining who
has access to what information and for what purpose remains opaque for
Malaysians.

MyKad is currently optional, but it automatically replaces other forms
of expired identification and is quickly becoming a de facto requirement to
access certain government and private-sector services. In December
1998, the government began requiring cyber cafés to obtain name,
address, and identity card information from patrons. However it lifted this
requirement in March 1999.[41] In some cases there may be penalties for
not carrying the card. In 1998, the government announced that persons not
carrying identification cards risk being detained by immigration
authorities.[42] It is the government's intention that all of
Malaysia's population over the age of 12 will be registered in the MyKad system
by 2005. Those under the age of 12 are encouraged to apply for a junior version
of the MyKad, which differs only in its lack of a photograph and thumbprint
biometric.

[31] "Privacy of MyKad Holders to Be Protected by Law," New Straits Times, May
19, 2004, at 6.

[32] "Wise Up to Role of Smart Card," The Star, December 15, 2002.

[33] "Privacy of MyKad Holders to Be Protected by Law," supra. See also "Free
Upgrade of MyKad to 64K," New Straits Times, June 16, 2004, at 5.

[34] "Card Sharps," The Bulletin (Australia), May 14, 2003; Joe Celko, "The
Road to Dystopia: How much Information Can the Government Control?" Intelligent
Enterprise, May 9, 2002. See also Rozana Sani, "Utilising PKI Applications in
MyKad," New Straits Times, December 18, 2003, at 4.

4.
A Report from Justice, UK

49. Malaysian Identity Cards, known to its citizens as ICs and to the
Government as the `MyKad', were first introduced by the British in
pre-independent Malaya to help control the communist insurgency. Today, the
card has a multi-purpose smart chip and looks very much like an ordinary
credit card, incorporating a host of technological features.
Malaysia's technological development has far out-paced the development
of the legal system, and identity cards provide such an example. The advances
in data storage technology have not been matched with adequate legal
protection and safeguards.

50. The Malaysian Constitution does not provide for the issuance of ID cards.
The National Registration Act 1959 (the 1959 Act)
provides for the establishment and maintenance of a registry of all
persons in Malaysia (Section 4 of the 1959 Act) and that every person
in Malaysia be registered under the Act (Section 5 of the 1959 Act). The
Register extends to all residents of Malaysia, and includes noncitizens who
work or reside there. More importantly, the 1959 Act gives the
Minister in charge of the National Registration Department,
historically the Home Affairs Minister (the equivalent of the British Home
Secretary), extremely wide and discretionary powers in respect of
virtually every aspect of the national identity system under Section
6.

51. Under the 1959 Act, Malaysians citizens and permanent residents above the
age of 12 years are eligible to apply for and ID card. Because an ID card is
required for many legal activities, including opening bank accounts or dealing
with the state, most Malaysian apply for an ID card when the reach the age of
12. Under the National Registration Rules 1990, every citizen or
permanent resident over the age of 18 is required to apply for an ID
card, and late applicants are fined a nominal sum.

52. The new ID cards are `smart cards' with an embedded 64K chip in
each card that carries the personal information of the holder. The face of
the card no longer has the holder's thumbprints, but has his or her ID number,
full name, address, nationality, sex, and photograph. These cards
are called the Government Multipurpose Card (GMPC) and were
introduced as part of the Government's IT initiative, the Multimedia Super
Corridor. The GMPC was marketed to the public as `MyKad'.
Significantly, the Government sees the card as an interface device with not
only government agencies, but also the private sector. The MyKad
project is run by five different agencies, all of which have access to the data
on the card - the National Registration Department (NRD) as the lead agency;
the Road Transport Department (RTD); Royal Malaysian Police (RMP); Ministry of
Health (MOH); and the Immigration Department (IMM).

53. The new ID cards replace the old identification cards and, if individuals
choose, the driving license. In addition, it uses chip and biometrics
identificationtechnology to identify individuals, can allow the Police
and the Road Traffic Agency to access its information (driving license version
only), and supplements the Malaysians International passport to facilitate
efficient exit and re-entry from Malaysian Immigration checkpoints.
Currently, even Malaysian passports are chip based. The new cards will be
used for intra-Malaysia travel and by Malaysians when leaving or re-entering
the country. Basic and critical medical information, such as
allergies and blood type, are also stored in the chip. The new card,
once registered with a local bank, can be used as an ATM or debit card
[not recommended by banks], and once registered with the national
transportation payment system, Touch n' Go, can be used to pay for things like
bus tickets or road toll fares. The card can be used in lieu of three
different bankcards.

54. The Public Key Infrastructure (PKI) in every MyKad[sic - the 'infrastructure' is external to the card] enables
users to conduct secured e-commerce and transactions using a digital
certificate over networks such as the Internet. Authenticity and integrity of
the data is protected and inaccessible to anyone, apart from the relevant
government agencies and the owner of the MyKad. Information contained
in the chip can be accessed using three different devices, all of which are
largely inaccessible to the public, but will soon be carried by the
police.

55. Issues relating to the cards can be divided into legal and technological
categories.

56. The Personal Data Protection Act was passed in 2002 and
provides similar safeguards as the UK's Data Protection Act 1998, including
the appointment of a Data Protection Commissioner. However, the Act
has yet to come into full effect, on the grounds that it will be a
burden to businesses. There are no other safeguards against the
abuse and privacy of data in the new ID cards. Even the Malaysian
Constitution does not provide for the protection of privacy.

57. The Malaysian Government asserts that the new ID cards employ
state-of-the-art technology that incorporates multiple layers of security
features: `these features include the card authentication using symmetric key
cryptography, a multi applications Operating Systems with firewalls and a
secure chip platform.' However there is real concern that there are no
adequate protections for personal data. The smart card readers can be used by
virtually any government agency. Further, the willingness to share data with
the private sector without the prior consent of the citizen concerned is
worrying.

58. A joint survey by the Electronic Privacy Information Centre in Washington
and Privacy International in the UK summed up the risks: Users can access
personal information on their cards at government kiosks and offices, after
biometric authentication of their fingerprint. Access to personal information
by others is hierarchical or compartmentalized. For example, only certain
medical officers have access to sensitive health information. However, access
to some personal information held in the MyKad system seems to be available,
remotely via a network, to a wide range of third parties, including hotels,
restaurants and ticket agents. Determining who has access to what information
and for what purpose remains opaque for individual Malaysians.
40

59. Malaysia leads the world in the frequency and scope of everyday use of ID
cards. However, the system employed is not without problems. Although the
issuing and scanning procedures appear to be sound, there are significant
concerns over the lack of legal and technological provisions to ensure data
protection; a fact which is particularly worrying considering the wide range
of personal information stored. Concerns have been voiced about both
function creep and access to information with regard to the draft Bill in the
UK, and the Malaysian experience highlights the fact that any legislation
needs to incorporate strict controls on access to, and subsequent use of,
personal information.

The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.

From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 50 million in early 2015.